From: Daniel W. <d...@ni...> - 2007-11-01 12:20:13
> >>> Of course the issue may be our end with our session management but our
> >>> other webpages seem to operate fine without sessions / cookies being
> >>> lost willy-nilly.
> >>>
> >>> Particularly the corrupted cookie issue sounds like something
> >>> squirrelmail should be able to take care of by completely clearing all
> >>> existing cookie records upon login. Having users manually delete old
> >>> cookies browser-side is hard work.
>
> I think you are barking up the wrong tree.
>
> You might start by upgrading - 1.4.8 is full of security issues.

We're actually working on 1.5.2 - 1.4.8 is only provided as a legacy login in case there were problems on the new system.

> >>> Not sure what I'm asking specifically here - maybe I just want to check
> >>> if we alone are experiencing these issues?
> >>>
> >> I have a clue about this. I think a plugin or some kind of function
> >> tries to access a file or folder incorrectly. This is caught by the
> >> index.php which redirects the user to login.php.
> >>
> >> login.php kills the session!
>
> As it should.
>
> >> So the next action the user does is greeted with 'you must be logged in'.
> >>
> >> How big a problem is it if I stop login.php from killing the session?
>
> Why do you want to fiddle with the core when the problem is broken
> code elsewhere? You should do the hard work and find the problem
> itself.

We were doing hard work - just asking whether we could roll that out as a 'quick fix' in the meantime. As it turns out we finally found the problem yesterday...

For your interest: The function general_util.php:get_icon_path() for generating folder list icon images was (correctly) returning null when the Icon Theme was turned off. Our template code was not correctly accounting for null and generating html like <img src="">. In IE it seems that the browser interprets this as a request for the index file of the current page. This was redirected to SMROOT/index.php and subsequently to login.php.

Thus every user with themes turned off had their session killed as soon as the folder list loaded. Other browsers usefully ignored the empty src image and did not trigger the problem.

-------------------

As an aside - it was really hard to find the problem. We were trying to work out the 'backtrace' for login.php. But since it was being hit via header() redirects, we couldn't find any way of tracking back. $_SERVER didn't seem to have any useful data (was looking for REFERER info) and the apache access_log didn't seem to offer anything either.

How would you have traced the problem back?
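The template defect described in this message, shown as an added example rather than code from the thread or from SquirrelMail: a renderer that emits `<img src="">` when `get_icon_path()` returns null beside one that omits the tag instead. `example_icon_path()` and the render functions are hypothetical stand-ins; only `get_icon_path()` returning null with the Icon Theme off comes from the message.

```php
<?php
// Added example, not SquirrelMail code. An empty src="" makes some browsers
// (IE, per the thread) fetch the current directory, which here bounced through
// index.php to login.php and destroyed the user's session.

// Hypothetical stand-in for general_util.php:get_icon_path(): returns null
// when the Icon Theme is disabled, the behaviour the message describes.
function example_icon_path($icon_theme_enabled, $icon_name) {
    if (!$icon_theme_enabled) {
        return null;
    }
    return 'images/themes/default/' . $icon_name . '.png'; // constructed path
}

// Buggy rendering: a null $path silently becomes src="".
function render_icon_unsafe($path, $alt) {
    return '<img src="' . $path . '" alt="' . $alt . '" />';
}

// Fixed rendering: no <img> at all without a path, and attribute values
// escaped so a path or label can never break out of the attribute.
function render_icon($path, $alt) {
    $safe_alt = htmlspecialchars($alt, ENT_QUOTES, 'UTF-8');
    if ($path === null || $path === '') {
        // Text fallback keeps the folder list readable with icons turned off.
        return $safe_alt;
    }
    $safe_path = htmlspecialchars($path, ENT_QUOTES, 'UTF-8');
    return '<img src="' . $safe_path . '" alt="' . $safe_alt . '" />';
}

// With the Icon Theme off, only the unsafe renderer produces an empty src.
$path = example_icon_path(false, 'folder');
echo render_icon_unsafe($path, 'Inbox'), "\n";
echo render_icon($path, 'Inbox'), "\n";
```

A grep of rendered templates for `src=""` is a cheap check for this class of defect in any theme or plugin output.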